Sonicwall TZ-170
NOTE: During configuration or flashing of a device, the only things that should be hooked to the device are the computer and power.

Specs
This section is in need of cleanup!

Platform
Serial Num. = ?
FCC ID = ?
CPU Type = SONICWALL 156-000022-00
MIPS Rev = ?
CPU Speed = ?
Bus = ?
Flash Type = ?
Flash Chip = TOSHIBA TC58FVM6T2AFT65
Flash Size = 8MB
Max Firmware Size = ?
RAM Size = 64MB
RAM Chip = INFINEON HYB39S256160DTL-7
nvram Size = ?
Switch = Broadcom BCM5325MA2KQM
WAN = Broadcom BCM5221A4KPT
OPT = Broadcom BCM5221A4KPT
Console = TEXAS INSTRUMENTS MAX3243C
Port-based vlan = ?
802.1q vlan = ?
Ethernet Port Count = ?
Wired Standard = IEEE 802.3?
boot_wait = ?
bootloader = ?
Flash Card Socket/Type = ?
SD/MMC Mod Support = ?
MiniPCI slots = No
PoE = ?
Power = 5V/2.4A
Color of LEDs = Green
Size = ?
USB = ?
Serial Port = Management port on back
JTAG Port = ?
Supported by TJTAG/Version = ?
Special Features = ?

Radio
Wireless Radio = ?
WLAN DSP processor = ?
Antenna Connector Type = ?
Wireless Standard = IEEE 802.11a/b/g/n
WiFi Operating Frequency = ?
* 802.11n = up to 300Mbps
* 802.11g = 6, 9, 12, 18, 24, 36, 48, 54Mbps
* 802.11b = 1, 2, 5.5, 11Mbps
* 802.11a = 6, 9, 12, 18, 24, 36, 48, 54Mbps
Radio cor_rev = ?
Radio Capabilities = ?

Links of Interest
* (INFODUMP) Sonicwall TZ-170

Flashing
This section is in need of cleanup!

Upgrading
This section is in need of cleanup!

Reverting
This section is in need of cleanup!

JTAG/Serial Info

JTAG

JTAG Pinouts
This section is in need of cleanup!

JTAG Recovery
This section is in need of JTAG Recovery Instructions!
Serial

Serial Pinouts
TP1 > VCC
TP2 > TST_CLK
TP3 > 3V3
TP4 > 1V8
TP5 > GND
TP6 > GND

HyperTerminal Setup in Windows XP
In Windows XP, click Start Button - All Programs - Accessories - Communication - HyperTerminal
Enter a name for the connection, click OK
Choose the COM port your adapter is plugged into, click OK
Set:
Bits per second = 115200
Data Bits = 8
Parity = none
Stop bits = 1
Flow control = none
Click OK
Click File - Save As, and select a place to save it to so you don't have to enter the settings again.

PuTTY Setup in Windows XP
After installing PuTTY, run it
Serial line = The COM port you're using for serial (i.e. COM3)
Speed = 115200
Click on Serial under Connection
Serial line to connect to = same as above (Serial line)
Speed (baud) = 115200
Data bits = 8
Stop bits = 1
Parity = None
Flow control = None
Click Session
Enter a name for your connection under saved sessions
Click Save
Click Open

Serial Recovery
This section is in need of Serial Recovery Instructions!

USB Info
This section is in need of cleanup!

vlan Info
This section is in need of cleanup!

Pictures
This section is in need of cleanup!

FCC Pictures
This section is in need of cleanup!

Notes
Can't seem to find a TX or RX, but then again I'm not terribly familiar with serial communications either. Maybe I missed something?

Firmware Offsets
0x0000 > Section 1 bytes
* AF 08 12 30 2C 02 14 "Magic" header, 8 bytes. Found in all firmware images for TZ170 and one image for TZ-150.
0x0080 > Section 2 bytes
0x0300 > Section 3 bytes
* 0x0300 - Always "SonicOS Standard" from what I can tell
* 0x0320 - Firmware revision number, displayed verbatim in web interface
* 0x0340 - Compiling machine name (?)
* 0x0380 - Compiling user name (pseudo-confirmed)
0x03c0 > Section 4 data [ to EOF ]

Mystery Filesystem
I could almost write an entirely different post for all the time that I spent decoding this. Having very little prior experience with filesystems, it was definitely a learning adventure to say the least.
I haven't been able to figure out how the device decides where this filesystem begins and where it ends, but I am 100% certain that I've decoded the FAT table for whatever filesystem this is. It's worth noting that when you do, however, find the beginning of the FAT table, from that address to the end of the firmware image is the entirety of the filesystem (checked and confirmed by myself on multiple firmware versions).

A FAT entry for this system looks as follows:

00 00 3E C6 00 00 25 68 00 00 86 7A 0D 65 76 65 6E 74 6C 69 73 74 2E 74 78 74 00
. . > Æ . . % h . . † z . e v e n t l i s t . t x t .

0x0000 - 0x0003 <> Location of file, offset from head of filesystem
0x0004 - 0x0007 <> Size of file in filesystem
0x0008 - 0x000B <> Size of file extracted and uncompressed/decrypted
0x000C <> Length of filename text
0x000D - to length <> filename + null character

The head of the filesystem is calculated by finding the first entry in the FAT, and subtracting 4 bytes. The 4 bytes before the first entry indicate how many files are stored in the system. For instance, for firmware version 3.1.0.15, there are 511 files contained in the image (encrypted of course). If you do a hex search for 0x01ffh you will find two entries. The first is in the header, the second is about halfway to the end of the file. The second one is what we're looking at. From there, we know that immediately following this WORD value is the first entry in the FAT for "eventlist.txt".

The end of the filesystem can be calculated using the first FAT entry. For the "footer" of this filesystem, there are 8 bytes (two WORD values), right before the offset indicated by the first FAT entry. I have as of right now been unable to figure out what these values are in relation to everything else. They're not a static signature as they vary slightly between firmware versions. However, from what I can tell the first 3 bytes are always 78h 9Ch (unconfirmed).

Hope I haven't forgotten anything!
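The FAT layout described above, as an added example that is not part of the original page: a parser that walks the table and validates every length field before using it, since the image is untrusted input. Big-endian byte order is an assumption inferred from the quoted eventlist.txt entry; the names `parse_fat`, `FatEntry` and `sample_image` are hypothetical, and the second entry and all padding in the sample image are constructed.

```python
import struct
from typing import NamedTuple

# Entry bytes quoted on the page (eventlist.txt).
PAGE_ENTRY = bytes.fromhex(
    "00003EC6 00002568 0000867A 0D 6576656E746C6973742E747874 00")

class FatEntry(NamedTuple):
    offset: int          # location of file, from head of filesystem
    stored_size: int     # size of file in filesystem
    extracted_size: int  # size once extracted
    name: str

def parse_fat(image: bytes, head: int) -> list:
    """Parse the table whose 4-byte file count sits at `head`.

    Big-endian fields are an assumption inferred from the page's example.
    Every length taken from the image is checked before it is used.
    """
    if head < 0 or head + 4 > len(image):
        raise ValueError("filesystem head outside image")
    (count,) = struct.unpack_from(">I", image, head)
    fs_len = len(image) - head  # filesystem runs from head to end of image
    pos, entries = head + 4, []
    for i in range(count):
        if pos + 13 > len(image):
            raise ValueError(f"entry {i}: truncated fixed fields")
        offset, stored, extracted, nlen = struct.unpack_from(">IIIB", image, pos)
        end = pos + 13 + nlen  # index of the terminating null
        if end >= len(image) or image[end] != 0:
            raise ValueError(f"entry {i}: filename not null-terminated")
        if offset + stored > fs_len:
            raise ValueError(f"entry {i}: data runs past end of image")
        name = image[pos + 13:end].decode("ascii", errors="replace")
        entries.append(FatEntry(offset, stored, extracted, name))
        pos = end + 1
    return entries

def sample_image():
    """Constructed test image: 16 filler bytes, count=2, two entries, padding."""
    second = struct.pack(">IIIB", 25646, 10, 20, 10) + b"second.bin\x00"
    table = struct.pack(">I", 2) + PAGE_ENTRY + second
    body = table.ljust(25656, b"\x00")  # room for both files' data
    return b"\xAA" * 16 + body, 16

if __name__ == "__main__":
    img, head = sample_image()
    for e in parse_fat(img, head):
        print(e)
```

On a real image, `head` is the offset of the 4-byte file count located as described above; the parser does not search for it.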
Firmware File Names/Versions
* sw_tz170_s_eng_3.0.0.4.sig - Version 3.0.0.4 - [ MD5: d3f1c4a1db420ce05cec01a4b822baae ]
* sw_tz170_s_eng_3.1.0.15.sig - Version 3.1.0.15 - [ MD5: 25f33a66b98e530766b875b76b382370 ]
* sw_tz170_s_eng_3.1.0.2.sig - Version 3.1.0.2 - [ MD5: a2a66ddc1921cff321c16202d3c704dd ]

Miscellaneous Points of Note
* The system OS is probably VxWorks based...
* As of right now I can not get the TZ-170 to take any modified firmware image. This consisted of editing the "username" field in the header, to which the SonicWall cried out as it was not a "signed" firmware image.
* I have just ordered an RS-232 TTL converter, and as soon as that gets here I will be poking around on the board looking for a secondary UART port. There are some nice pin groupings on the PCB that I can't wait to probe!
* Figuring that I won't have any luck with the TTL converter, I will be trying to find the JTAG pinout of the processor, and hopefully I can dump something interesting/useful. Maybe I'll be able to sign those images! I'll be doing this with an Arduino, because I feel this affords me more flexibility when probing for pins. Plus, you know, Arduino!
* This took me an hour and a half to organize and write, but probably just a few minutes for you to read! :]

Requests/How You Can Help
My eventual goal is to port OpenWRT/DD-WRT to this appliance, and hopefully this whole series of appliances! But as of right now I have hit a dead end. So if you have any ideas, experience, or hardware you'd like to contribute to this cause, please feel free to post/message me! Particularly, if you can shed any light onto how these images are encrypted/signed, I would be forever grateful.

Also, you're wondering how you're supposed to obtain the firmware images listed above. There is a reason I have included the filename + the MD5 checksum. I'm not entirely sure, however, if Googling these files will return any results.
If you would like me to send these images to you for reversing purposes, just message me. I have a nice little 7z archive with all three versions mentioned above sitting on my desktop.

Lastly, thank you for taking the time to read this!

Hardware Modification